I have a Debian 7.7 system I am trying to configure to use Kerberos and NIS, both served from an Active Directory server.
I have Kerberos set up such that I can kinit a set of credentials from the AD server.
I have NIS set up such that I can su - $USER to an AD user and everything works.
I just can't log in as the user.
When I log in through the console, I get these logs in the auth.log:
    Nov 5 10:22:41 debian login[3888]: pam_krb5(login:auth): pam_sm_authenticate: entry
    Nov 5 10:22:45 debian login[3888]: pam_krb5(login:auth): (user dmackintosh) attempting authentication as dmackintosh@AD.$ZONE
    Nov 5 10:22:45 debian login[3888]: pam_krb5(login:auth): user dmackintosh authenticated as dmackintosh@AD.$ZONE
    Nov 5 10:22:45 debian login[3888]: pam_krb5(login:auth): (user dmackintosh) temporarily storing credentials in /tmp/krb5cc_pam_54ruC8
    Nov 5 10:22:45 debian login[3888]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
    Nov 5 10:22:45 debian login[3888]: Authentication failure

When I log in through ssh, I get:

    Nov 5 10:24:00 debian sshd[7641]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull)
    Nov 5 10:24:00 debian sshd[7641]: pam_krb5(sshd:auth): (user dmackintosh) attempting authentication as dmackintosh@AD.$ZONE
    Nov 5 10:24:00 debian sshd[7641]: pam_krb5(sshd:auth): user dmackintosh authenticated as dmackintosh@AD.$ZONE
    Nov 5 10:24:00 debian sshd[7641]: pam_krb5(sshd:auth): (user dmackintosh) temporarily storing credentials in /tmp/krb5cc_pam_NQ9vhz
    Nov 5 10:24:00 debian sshd[7641]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
    Nov 5 10:24:00 debian sshd[7641]: Failed password for dmackintosh from 10.8.0.21 port 47234 ssh2
    Nov 5 10:24:00 debian sshd[7641]: fatal: Access denied for user dmackintosh by PAM account configuration [preauth]

In both cases, the login attempt is immediately kicked out. I know the password is correct because A) it passes the kinit test and B) if I deliberately type the wrong password, I get a your-password-is-wrong wait before the password is prompted for again.
The configuration of PAM is pretty much stock as per /usr/share/doc/libpam-krb5/README.Debian. Only PAM debugging statements have been added.
SSH has been changed to enable the GSSAPIAuthentication and GSSAPICleanupCredentials options, but that didn't seem to make a difference.
I have this working with CentOS 5 and 6, so it has to be a configuration problem on the Debian system somewhere.
I know that the internet wants me to do this with LDAP rather than NIS, but I have to keep NIS around for "reasons".
Update: I have discovered that if there is an entry in /etc/shadow for the user, it works. This totally defeats the purpose of using NIS, but anyway. This leads me to believe it is a problem with my /etc/nsswitch.conf file, which looks like this:
    passwd:     files nis
    group:      files nis
    shadow:     files nis
    hosts:      files dns
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis
    automount:  nis

Update 2: I have discovered that without the extra information in /etc/shadow, getent shadow does not return the NIS shadow information which is visible from ypcat shadow. I have also discovered that Gentoo and Ubuntu are similarly affected; RH-family distros do not seem to be, even though RH-family systems don't return the contents of the shadow NIS map through getent.
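An added diagnostic, not part of the question above: it groups auth.log records by service and PID and separates "Kerberos authentication succeeded but the login was still refused" (the account stage, which is what the shadow/NIS finding points at) from a plain password failure. The sample log is constructed from the lines in the question plus one assumed "exit (failure)" record, which assumes pam_krb5's debug format mirrors its "exit (success)" line.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the question, one record per line, plus an
# assumed pam_krb5 failure record (sshd[7702]) for contrast.
SAMPLE_LOG = """\
Nov 5 10:22:41 debian login[3888]: pam_krb5(login:auth): pam_sm_authenticate: entry
Nov 5 10:22:45 debian login[3888]: pam_krb5(login:auth): user dmackintosh authenticated as dmackintosh@AD.$ZONE
Nov 5 10:22:45 debian login[3888]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
Nov 5 10:22:45 debian login[3888]: Authentication failure
Nov 5 10:24:00 debian sshd[7641]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Nov 5 10:24:00 debian sshd[7641]: Failed password for dmackintosh from 10.8.0.21 port 47234 ssh2
Nov 5 10:24:00 debian sshd[7641]: fatal: Access denied for user dmackintosh by PAM account configuration [preauth]
Nov 5 10:30:12 debian sshd[7702]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
Nov 5 10:30:12 debian sshd[7702]: Failed password for dmackintosh from 10.8.0.21 port 47300 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host service[pid]: message"
LINE_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<svc>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")

def classify_sessions(log_text):
    """Return {"service[pid]": verdict} for every login attempt in log_text.

    account-stage-denied: pam_krb5 reported exit (success) yet the service
                          still refused the login (so auth is fine; look at
                          the account stage, i.e. pam_unix/NSS shadow lookup)
    auth-failed:          pam_krb5 itself failed, or a refusal with no success
    ok:                   no refusal seen
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events["%s[%s]" % (m["svc"], m["pid"])].append(m["msg"])
    verdicts = {}
    for key, msgs in events.items():
        krb_ok = any("pam_sm_authenticate: exit (success)" in m for m in msgs)
        refused = any(
            "Authentication failure" in m or "Access denied" in m or "Failed password" in m
            for m in msgs)
        if krb_ok and refused:
            verdicts[key] = "account-stage-denied"
        elif refused:
            verdicts[key] = "auth-failed"
        else:
            verdicts[key] = "ok"
    return verdicts

if __name__ == "__main__":
    for key, verdict in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(key, verdict)
```

On a live system, feed it `grep -E 'pam_krb5|Failed password|Access denied|Authentication failure' /var/log/auth.log` to see whether refusals cluster in the account stage only.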